Vaultwarden behind Traefik

Question


For the 'demonstration' I'm using that 'all-in-one' file with nginx proxy

version: "3.9"

services:

    proxy:
        image: nginx:latest
        container_name: proxy
        restart: always
        ports:
            - "80:80"
        environment:
            - TZ=Europe/Brussels
        volumes:
            - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
            - ./config/conf.d:/etc/nginx/conf.d:ro
        networks:
            - proxy

    vaultwarden:
        image: vaultwarden/server:latest
        container_name: vaultwarden
        restart: unless-stopped
        environment:
            - LOG_LEVEL=debug
        volumes:
            - "data:/data/"
        networks:
           - proxy

volumes:
    data:
networks:
    proxy:
        name: proxy_network

and

server {
    listen 80;
    server_name 127.0.0.1;

    resolver 127.0.0.11;

    set $vaultwarden_upstream vaultwarden;
    location /vaultwarden/ {
        rewrite ^/vaultwarden/(.*) /$1 break;
        proxy_pass http://$vaultwarden_upstream;

    }

}

It is working fine. In my browser I can go to http://127.0.0.1/vaultwarden and see the login page.
In the logs I can see

172.28.0.1 - - [08/Jan/2023:18:15:42 +0100] "127.0.0.1" "GET /vaultwarden/ HTTP/1.1" 200 628 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
172.28.0.1 - - [08/Jan/2023:18:15:42 +0100] "127.0.0.1" "GET /vaultwarden/theme_head.5f24ba8d7aa944e6f52b.js HTTP/1.1" 200 474 "http://127.0.0.1/vaultwarden/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
...

and

[2023-01-08 17:15:42.693][request][INFO] GET /
[2023-01-08 17:15:42.693][response][INFO] (web_index) GET / => 200 OK
[2023-01-08 17:15:42.706][request][INFO] GET /theme_head.5f24ba8d7aa944e6f52b.js
...

Now I'm trying to migrate to traefik

version: "3.9"

services:

    proxy:
        image: traefik:v2.9
        container_name: proxy
        restart: unless-stopped
        command:
            - "--accesslog=true"
            - "--log.level=INFO"
            - "--api.insecure=true"
            - "--entrypoints.web.address=:80"
            - "--providers.docker=true"
            - "--providers.docker.network=proxy_network"
            - "--providers.docker.exposedbydefault=false"
        ports:
            - 80:80
            - 8080:8080
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
        networks:
            - proxy

    vaultwarden:
        image: vaultwarden/server:latest
        container_name: vaultwarden
        restart: unless-stopped
        environment:
            - LOG_LEVEL=debug
        labels:
            - "traefik.enable=true"
            - "traefik.http.services.vaultwarden-service.loadbalancer.server.port=80"
            - "traefik.http.middlewares.vaultwarden-strip-prefix.stripprefix.prefixes=/vaultwarden"
            - "traefik.http.routers.vaultwarden.entrypoints=web"
            - "traefik.http.routers.vaultwarden.rule=PathPrefix(`/vaultwarden`)"
            - "traefik.http.routers.vaultwarden.middlewares=vaultwarden-strip-prefix@docker"
            - "traefik.http.routers.vaultwarden.service=vaultwarden-service"
        volumes:
            - "data:/data/"
        networks:
           - proxy

volumes:
    data:
networks:
    proxy:
        name: proxy_network

But it is not working anymore.

In the logs

172.30.0.1 - - [08/Jan/2023:17:36:01 +0000] "GET /vaultwarden HTTP/1.1" 200 1240 "-" "-" 105 "vaultwarden@docker" "http://172.30.0.2:80" 1ms
172.30.0.1 - - [08/Jan/2023:17:36:01 +0000] "GET /theme_head.5f24ba8d7aa944e6f52b.js HTTP/1.1" 404 19 "-" "-" 106 "-" "-" 0ms
...

and

[2023-01-08 17:36:01.836][request][INFO] GET /
[2023-01-08 17:36:01.836][response][INFO] (web_index) GET / => 200 OK
...

Of course nothing more in the traefik log because the GET on /theme_head.5f24ba8d7aa944e6f52b.js is not redirected to the container.

Why such a difference? Why does the /vaultwarden seem to be removed from the second (and all following) GETs?

I don't understand. What am I missing?

edit

With http://127.0.0.1/vaultwarden it is not working, with http://127.0.0.1/vaultwarden/ it is working.

I also tried replacing vaultwarden image with other ones

image: containous/whoami

or

image: portainer/portainer-ce

And it is always working. Both with http://127.0.0.1/vaultwarden and http://127.0.0.1/vaultwarden/

But if vaultwarden is working with nginx, why is it not working with traefik without adding a trailing /?

Answer 1

Score: 0


The easiest way to solve this is to add the trailing slash by redirecting requests for /vaultwarden to /vaultwarden/. We can do that with the redirectregex middleware.

The specific set of rules looks like this:

- "traefik.http.routers.vaultwarden.middlewares=vaultwarden-add-slash,vaultwarden-strip-prefix"
- "traefik.http.middlewares.vaultwarden-add-slash.redirectregex.regex=/vaultwarden$$"
- "traefik.http.middlewares.vaultwarden-add-slash.redirectregex.replacement=/vaultwarden/"
- "traefik.http.middlewares.vaultwarden-strip-prefix.stripprefix.prefixes=/vaultwarden"

Here's a complete configuration that I used for testing:

services:
    proxy:
        image: traefik:v2.9
        container_name: proxy
        restart: unless-stopped
        command:
            - "--accesslog=true"
            - "--log.level=INFO"
            - "--api.insecure=true"
            - "--entrypoints.web.address=:80"
            - "--providers.docker=true"
            - "--providers.docker.network=proxy_network"
            - "--providers.docker.exposedbydefault=false"
        ports:
          - 80:80
          - 8080:8080
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        networks:
          - proxy

    vaultwarden:
        image: vaultwarden/server:latest
        container_name: vaultwarden
        restart: unless-stopped
        environment:
            - LOG_LEVEL=debug
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.vaultwarden.entrypoints=web"
            - "traefik.http.routers.vaultwarden.rule=PathPrefix(`/vaultwarden`)"
            - "traefik.http.routers.vaultwarden.middlewares=vaultwarden-add-slash,vaultwarden-strip-prefix"
            - "traefik.http.middlewares.vaultwarden-add-slash.redirectregex.regex=/vaultwarden$$"
            - "traefik.http.middlewares.vaultwarden-add-slash.redirectregex.replacement=/vaultwarden/"
            - "traefik.http.middlewares.vaultwarden-strip-prefix.stripprefix.prefixes=/vaultwarden"
        volumes:
            - "data:/data/"
        networks:
           - proxy

volumes:
    data:
networks:
    proxy:
        name: proxy_network

You're probably already aware of this, but it caught me by surprise: there is a healthcheck set on the vaultwarden image, so it takes a minute or so before it becomes "healthy". Traefik won't forward traffic to the container until it is healthy.
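
Why the missing trailing slash breaks asset loading, and how the redirect in the answer fixes it, as an added example (not code from the original post or from Traefik): a simplified JavaScript model of the browser's relative-URL resolution and of the router, `redirectregex` and `stripprefix` steps. The function names are hypothetical, and it assumes the login page references its assets with relative URLs, as the access logs in the question suggest.

```javascript
// Simplified model of the browser plus the Traefik router and middlewares
// from the answer. Function names are hypothetical; this is not Traefik code.
const PREFIX = "/vaultwarden";
const ASSET = "theme_head.5f24ba8d7aa944e6f52b.js"; // asset name taken from the logs

// Browser side: resolve a relative reference against the page URL (WHATWG URL).
function resolveAsset(pageUrl, relativeRef) {
  return new URL(relativeRef, pageUrl).pathname;
}

// redirectregex model: the regex is applied to the full request URL.
// In the compose labels "$$" is the escape for a single "$".
function addSlash(url) {
  const re = /\/vaultwarden$/;
  return re.test(url) ? url.replace(re, "/vaultwarden/") : null; // null = no redirect
}

// stripprefix model: remove the prefix and always keep a leading "/".
function stripPrefix(path) {
  const rest = path.slice(PREFIX.length);
  return rest.startsWith("/") ? rest : "/" + rest;
}

// Router model: PathPrefix(`/vaultwarden`), then the middleware chain.
function handle(url, withAddSlash) {
  const path = new URL(url).pathname;
  if (!path.startsWith(PREFIX)) return { status: 404, upstreamPath: null };
  const target = withAddSlash ? addSlash(url) : null;
  if (target) return { status: 302, location: target };
  return { status: 200, upstreamPath: stripPrefix(path) };
}

// Load the page (following one redirect), then request the asset the way
// a browser would: relative to the final page URL.
function loadPage(url, withAddSlash) {
  let finalUrl = url;
  const first = handle(url, withAddSlash);
  if (first.status === 302) finalUrl = first.location;
  const assetPath = resolveAsset(finalUrl, ASSET);
  const assetUrl = new URL(assetPath, finalUrl).href;
  return { finalUrl, assetPath, asset: handle(assetUrl, withAddSlash) };
}

console.log(loadPage("http://127.0.0.1/vaultwarden", false)); // asset misses the router
console.log(loadPage("http://127.0.0.1/vaultwarden", true));  // asset reaches the container
```

Without the redirect the asset is requested outside the `/vaultwarden` prefix, which matches the 404 line with no router name in the Traefik access log from the question.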

Posted by huangapple on January 9, 2023, 01:45:24